June 22, 2018

The National Science Foundation Research Terms and Conditions (effective March 1, 2018) require recipients of NSF funding to protect Personally Identifiable Information within the scope of an NSF award. Article 35 states:

“Grantees that use or operate a Federal information system or create, collect, use, process, store, maintain, disseminate, disclose, or dispose of Personally Identifiable Information (PII) within the scope of an NSF award, must have procedures in place to respond to a breach of PII. These procedures should promote cooperation and the free exchange of information with NSF, as needed to properly escalate, refer and respond to a breach. Grantees will notify NSF upon learning that a breach of PII within the scope of an NSF award has occurred.”

“Personally Identifiable Information” can generally be defined as any information/data that could potentially be used to identify a specific individual. Examples include, but are not limited to, names, SSNs, driver’s license numbers, medical information, etc. A “breach” of Personally Identifiable Information can be defined as a security incident in which sensitive, protected or confidential data is suspected to have been copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. More information on Personally Identifiable Information can be found on the Committee for Protection of Human Subjects (CPHS) website.

Any suspected breach of Personally Identifiable Information that occurs within the context of an NSF supported research or training grant or contract should be reported to the director of the Sponsored Projects Office (plfmiller@berkeley.edu) and to Berkeley Information Security. This office will validate the scope and nature of the incident and will follow up with an Incident Response Plan.

If the breach includes Personally Identifiable Information that was collected as part of an IRB approved research study, or that concerns participants or trainees in an NSF Training Grant, the Office for Protection of Human Subjects (OPHS) should also be contacted as soon as possible.

We want to remind all human subjects researchers that, under the context of an IRB approved protocol, a Personally Identifiable Information breach would constitute an adverse event/unanticipated problem (loss of confidentiality) which would have to be reported to the IRB office within 7 calendar days of the Principal Investigator’s knowledge of the incident (with a formal report submitted within 14 calendar days).

Examples of data breaches include, but are not limited to:

Loss/theft of device/computer/server storing PII or documents with PII

Hacking of device/computer/server storing PII including any suspected malware or ransomware infection of device

You may sign up to receive this newsletter automatically via NSF Update. This mechanism allows you to choose to be notified about NSF programs, policies and events. To do this, navigate to www.nsf.gov, and click on the envelope icon in the “Follow Us” section of the website. After entering your e-mail address, you can select the topics you’re interested in learning about. To receive this newsletter, check the boxes for Newsletters/Journals and Publications: Policies and Procedures.

We hope that you will find the information in this latest edition to be useful. If you have ideas for future topics to be addressed in the newsletter, please send them to policy@nsf.gov.